You don't need certs to be a pen tester, but they do help you differentiate yourself from other applicants when looking for a job.

Offensive Security and SANS both have reputable certifications. OSCP and GPEN would be good starting places from Offensive Security and SANS, respectively. They both have more niche and advanced certifications related to pen testing, but those are the staples. eLearn's eCPPT is a nice bridge between CEH and OSCP if you feel that the OSCP material might be too advanced for you.

CEH is a bit fluffy, but it is nice to have since it is one of the more well-known ethical hacking/pen testing certs.

The CISSP is another one that's more of a personal marketing certification and not related to pen testing, but it is often expected/required for more advanced infosec roles.

In the Asian region of the world, you will often need to be CEH certified. In the UK (England), you will need to be CREST and/or CHECK certified (sometimes both), and in Australia, you will need CREST in the near future if the current situation here evolves.

In all countries, depending on the security level of your work, you may be required to be cleared for e.g. "SECRET" or "TOP SECRET", such as when you are working for the police, the military and federal agencies.

If you go to another country, there will most likely be certain jobs you cannot do which require certain security clearances, as they often require you to be a citizen of that country and thus, hold a citizenship in that country.

Note: Some job offers require or ask for CISSP, but it is not a "requirement" for the actual job being performed, as CISSP won't prove whether you are a penetration tester or not. (Some CISSP and CEH certified professionals actually remove these certifications from their CVs as the reputation can easily taint your image.)

Last edited by MaXe on Sat Nov 03, 2012 11:23 pm, edited 1 time in total.

MaXe wrote: In the Asian region of the world, you will often need to be CEH certified. In the UK (England), you will need to be CREST and/or CHECK certified (sometimes both), and in Australia, you will need CREST in the near future if the current situation here evolves.

In the Asian region, the qualification which is often referred to is C|EH, but it's not mandatory. SANS or OSCP is not well known for HR. In several countries, you need to be their citizens as a prerequisite.

MaXe wrote: In the Asian region of the world, you will often need to be CEH certified. In the UK (England), you will need to be CREST and/or CHECK certified (sometimes both), and in Australia, you will need CREST in the near future if the current situation here evolves.

In the Asian region, the qualification which is often referred to is C|EH, but it's not mandatory. SANS or OSCP is not well known for HR. In several countries, you need to be their citizens as a prerequisite.

CEH in common tongue however, is often removed from resumes by most serious penetration testers in developed Information Security countries such as Australia, England and USA, as it is frowned upon in the more serious infosec community. Some of my colleagues are "CEH" because they needed it to get the jobs they had, in e.g. India and other countries nearby. As they don't need to display it, they removed it from their LinkedIn profiles, as it is still seen as a joke (no offence intended) to many people.

So it may not be mandatory where you are currently located and working, but from what I heard from my colleagues that travelled and worked in most of the countries in the Asian region, they needed the certification, even though they didn't want it. (They would rather obtain Offensive Security certifications, which are less recognized in especially undeveloped information security countries, but also "SANS certifications" as well. (Actually it's GIAC providing certifications, as SANS only provides courses.))

Not wanting to hi-jack the thread but I'm not sure I understand the logic behind removing certifications from CVs or LinkedIn. I've achieved more respected and advanced certifications since gaining C|EH, but C|EH still holds a mention on my resume.

Regardless of opinions of particular certs, surely having a questionable (in some people's eyes, discussion for another thread) cert like C|EH is still better than an empty space in its place?

Admittedly I sat C|EH with its reputation in mind as a way to bypass HR filters rather than 'prove' technical capabilities, but I still sat the cert for a purpose. If you're not going to display a cert, why take it in the first place?

To answer Root's original question: you don't necessarily need certs to be a pentester, but if you want to find work you will likely need to be able to by-pass HR filters and pass minimum requirements in particular industries. Using the UK as an example, C|EH can often achieve the first, with CREST/CHECK providing the second (as MaXe has already stated). YMWV depending on location/business sector though.

Well, my plan is to make a company myself, a penetration testing company.

I live in the Faroe Islands. It's right between Iceland and England. Only 50.000 people live there.

So, I don't really need a certification, right?

You don't need any information security certifications there, you just need to make sure you don't get into any legal trouble. For (some or all) PCI assessments you need insurance though. But that's not really penetration testing though.

I know where it is as one of my best friends is from there, plus I am from Denmark as well ;D

As the Faroe Islands and the rest of Scandinavia are not _that_ evolved in information security, you may find it hard to find clients in those countries as the big companies are already selling to those that actually want to buy information security services. A lot of the companies in Denmark don't get external penetration tests done, as they haven't been hacked yet, so why should they? Insanity at high level ;D

Anyway, you can still create a penetration testing company and get clients in almost any country if you just meet their legal requirements if there are any, and if you are good at selling your services.

Keep in mind, that if you are going to do this alone, you will have to spend a lot of time on sales, management, etc., over penetration testing and the most important but also less interesting, reporting. :)

Andrew Waite wrote: Not wanting to hi-jack the thread but I'm not sure I understand the logic behind removing certifications from CVs or LinkedIn. I've achieved more respected and advanced certifications since gaining C|EH, but C|EH still holds a mention on my resume.

Regardless of opinions of particular certs, surely having a questionable (in some people's eyes, discussion for another thread) cert like C|EH is still better than an empty space in its place?

I would say it depends on the company you are applying at, if you only got CEH, and it's a highly technical and very serious company, they might think you're joking. No offence intended.

Andrew Waite wrote: Regardless of opinions of particular certs, surely having a questionable (in some people's eyes, discussion for another thread) cert like C|EH is still better than an empty space in its place?

I would say it depends on the company you are applying at, if you only got CEH, and it's a highly technical and very serious company, they might think you're joking. No offence intended.

If you've not got the certs/experience/skills for any position, your application won't be successful, that's true of any industry. What I don't understand is people that have C|EH and higher/more advanced certifications dropping C|EH.

At a minimum it shows your development path to get to where you are now. All else being equal I'd hire a CHECK/CREST and C|EH applicant over 'just' a CHECK/CREST applicant.

Root, as MaXe states, be aware of non-technical workload if working alone. A general truism for consultancy type roles seems to be 1/3 of your time chasing new work, 1/3 doing admin/paperwork and 1/3 actual billable work. Just make sure you work the excess into your billable prices. Good luck